Last-Visited MRU

Description: Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application.

Location:

  • C:\Users\<username>\NTUSER.DAT
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Notes: Tracks the application executables used to open files in OpenSaveMRU and the last file path used.

Analysis: The LastVisitedPidlMRU key seems to generate an entry any time an executable leverages Windows Explorer to open a file. I'm still researching to determine if it's actually tied to entries within the OpenSaveMRU key.



Using Registry Explorer by Eric Zimmerman, we can load the NTUSER.DAT registry hive from the user account that we're analyzing and select the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU registry key.



The LastVisitedPidlMRU registry key tracks the executable and folder path of the file that was opened, but not the file itself.
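
Added example, not from the original page or from Registry Explorer: a minimal Python parser for this key's values. It assumes the commonly documented Vista-and-later layout, which the page does not spell out: an `MRUListEx` value listing entries most recent first, and each numbered value holding a null-terminated UTF-16LE executable name followed by the folder's shell item ID list. The sample bytes are constructed, and turning the raw shell items into a readable folder path is left to a dedicated shell-item parser.

```python
import struct

def mru_order(mrulistex):
    """MRUListEx: little-endian uint32 value names, most recent first, ended by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", mrulistex[: len(mrulistex) // 4 * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(str(idx))
    return order

def split_entry(data):
    """Split one value into the executable name and its raw shell items (the folder PIDL)."""
    end = 0
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2  # scan aligned UTF-16 code units for the terminator
    exe = data[:end].decode("utf-16-le", errors="replace")
    items, pos = [], end + 2
    while pos + 2 <= len(data):
        (cb,) = struct.unpack_from("<H", data, pos)  # cb counts its own two bytes
        if cb == 0:  # terminator of the item ID list
            break
        if cb < 2 or pos + cb > len(data):
            raise ValueError(f"truncated or corrupt shell item at offset {pos}")
        items.append(data[pos + 2:pos + cb])
        pos += cb
    return exe, items

def last_visited(values):
    """Return (executable, shell item count) pairs, most recently used first."""
    order = mru_order(values.get("MRUListEx", b""))
    # Defensive: skip a name listed in MRUListEx that has no matching value.
    present = [split_entry(values[n]) for n in order if n in values]
    return [(exe, len(items)) for exe, items in present]

# Constructed sample data: executable names plus opaque placeholder shell items.
def _sample(exe, *items):
    pidl = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return exe.encode("utf-16-le") + b"\x00\x00" + pidl

SAMPLE = {
    "MRUListEx": struct.pack("<4I", 1, 0, 2, 0xFFFFFFFF),
    "0": _sample("notepad.exe", b"\x1f" * 18, b"\x31" * 40),
    "1": _sample("WINWORD.EXE", b"\x1f" * 18, b"\x2f" * 23, b"\x31" * 60),
}

if __name__ == "__main__":
    print(last_visited(SAMPLE))
```
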